“Zero Trust” has become one of the most over-used buzzwords in modern security conversations, but behind the marketing it represents a very real shift in how we think about Linux systems. The traditional model assumed the internal network was safe: SSH keys lived forever, sudoers files were hand-managed on every host, and once someone got inside the perimeter, lateral movement was easy. Today’s environments, from homelabs to hybrid cloud datacenters, demand something stronger.
The good news: Linux admins can implement Zero Trust principles right now using entirely open-source tools. This talk focuses on the practical, upstream methods that any sysadmin can deploy without buying an enterprise platform or restructuring their entire environment.
We start by defining Zero Trust in simple, actionable terms: “assume breach,” “never trust, always verify,” and “identity over network location.” From there, we map these principles onto everyday Linux operations and show how open-source IAM tools can enforce them automatically.
Attendees will learn how to use FreeIPA (the upstream project for Red Hat Identity Management) and SSSD as the backbone of an identity-aware Linux fleet: centralizing accounts, enforcing Kerberos authentication, managing SSH keys, and distributing sudo privileges through groups rather than per-machine files. We’ll explore SSH Certificate Authorities, one of the most powerful and least-deployed security capabilities in the Linux ecosystem: a host that trusts the CA’s public key accepts any certificate the CA signs, so credentials can be short-lived, revocation is mostly a matter of letting certificates expire (with a key revocation list for the genuine emergency), and nobody has to copy public keys to every server.
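The whole SSH CA round trip, as an added example that is not code from the talk: it uses nothing but OpenSSH’s ssh-keygen in a throw-away directory, issues an 8-hour certificate for two principals, reads it back the way sshd will, and then revokes it with a KRL. The CA comment ssh-user-ca, the users alice and dbadmin, the serial numbers and every path are made up for the demo.

```shell
#!/bin/sh
# Added example (not from the talk): an SSH user CA round trip with only
# OpenSSH's ssh-keygen, run in a throw-away directory. The names ssh-user-ca,
# alice, dbadmin, the 8h validity and the serials are all assumptions.
set -eu

# 1. Create the CA key pair. In production the private half lives offline, in an
#    HSM or behind a signing service; only <prefix>.pub is distributed to servers.
make_ca() {                       # $1 = path prefix for the CA key
    ssh-keygen -q -t ed25519 -N '' -C 'ssh-user-ca' -f "$1"
}

# 2. Issue a short-lived user certificate. A validity such as "+8h" is relative
#    to now, so the credential expires on its own; principals are the login
#    names it may be used for (matched by sshd against the target account).
issue_user_cert() {   # $1=CA key  $2=user key prefix  $3=key id  $4=principals  $5=validity  $6=serial
    local ca key id principals validity serial
    ca=$1; key=$2; id=$3; principals=$4; validity=$5; serial=$6
    [ -f "$key" ] || ssh-keygen -q -t ed25519 -N '' -C "$id" -f "$key"
    ssh-keygen -q -s "$ca" -I "$id" -n "$principals" -V "$validity" -z "$serial" "$key.pub" >/dev/null 2>&1
    printf '%s\n' "$key-cert.pub"
}

# 3. Inspect the certificate the way sshd will see it (ssh-keygen -L).
cert_field() {                    # $1 = cert path, $2 = field label as printed by ssh-keygen -L
    ssh-keygen -L -f "$1" | awk -F': ' -v f="$2" '
        $1 ~ ("^[ \t]*" f "$") { v = $2; gsub(/^"|"$/, "", v); print v; exit }'
}

cert_principals() {               # $1 = cert path; prints a comma-separated list
    ssh-keygen -L -f "$1" | awk '
        /^[ \t]*Principals:/ { p = 1; next }
        p && /:/             { exit }          # the next labelled field ends the list
        p                    { sub(/^[ \t]+/, ""); print }' | paste -sd, -
}

# 4. Revocation. Short validity is the primary control; a KRL covers the
#    emergency case and must be distributed to every sshd (RevokedKeys).
revoke_cert() {                   # $1 = KRL path, $2 = CA public key, $3 = cert to revoke
    if [ -f "$1" ]; then
        ssh-keygen -k -u -f "$1" -s "$2" "$3" >/dev/null 2>&1   # update existing KRL
    else
        ssh-keygen -k -f "$1" -s "$2" "$3" >/dev/null 2>&1      # create a new KRL
    fi
}

is_revoked() {                    # $1 = KRL path, $2 = cert; exit 0 if revoked
    # ssh-keygen -Q exits non-zero when any listed key is revoked, and also when
    # the KRL cannot be read: an unreadable KRL is treated as "revoked" (fail closed).
    ! ssh-keygen -Q -f "$1" "$2" >/dev/null 2>&1
}

demo() {
    d=$(mktemp -d)
    make_ca "$d/user_ca"
    cert=$(issue_user_cert "$d/user_ca" "$d/alice" 'alice@laptop' 'alice,dbadmin' '+8h' 1)
    echo "principals: $(cert_principals "$cert")"    # alice,dbadmin
    echo "valid:      $(cert_field "$cert" Valid)"   # from <now> to <now + 8h>
    revoke_cert "$d/revoked.krl" "$d/user_ca.pub" "$cert"
    if is_revoked "$d/revoked.krl" "$cert"; then echo "serial 1 is now revoked"; fi
    rm -rf "$d"
}
demo
```

On the server side the trust relationship is three sshd_config directives: `TrustedUserCAKeys` pointing at the CA’s public key, `AuthorizedPrincipalsFile` (or the default rule that a principal must equal the target user name) to decide which principals may log in as which account, and `RevokedKeys` pointing at the distributed KRL. Nothing in `~/.ssh/authorized_keys` is needed for certificate logins, which is exactly the point.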
The talk then dives into Host-Based Access Control (HBAC) for fine-grained login permissions (“database admins may only log into database servers”), and how these policies dynamically follow users based on group membership. We’ll also look at integrating sudo rules with centralized groups, removing the burden of maintaining dozens or hundreds of sudoers files across your infrastructure.
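Before sudo access can move into centrally managed groups you need an inventory of what each host grants to individual users rather than to groups. The following added example (mine, not the talk’s) produces that inventory from a sudoers-format file; the sample file, its users, hosts and commands are constructed for the demo and do not come from any real system.

```shell
#!/bin/sh
# Added example (not from the talk): list the per-user sudoers entries that must
# become group-based rules before sudo is migrated into FreeIPA. Pure text
# processing; the sample below is constructed and not taken from a real host.
set -eu

# Print every user specification whose subject is a plain user name (or a
# User_Alias used as one, since alias definitions are per-host state too),
# i.e. the grants that do not already key off a %group or +netgroup.
# Output is "<subject>\t<rule>", one rule per line, continuations joined.
per_user_sudo_rules() {           # $1 = path to a sudoers-format file
    awk '
        /\\$/ { sub(/\\$/, ""); buf = buf $0; next }            # join continued lines
        { $0 = buf $0; buf = "" }
        /^[ \t]*(#|@|$)/ { next }                               # comments, #include/@include, blanks
        /^[ \t]*Defaults/ { next }                              # options, not grants
        /^[ \t]*(User|Runas|Host|Cmnd)_Alias[ \t]/ { next }      # alias definitions
        $1 ~ /^[%+]/ { next }                                   # %group / +netgroup: already fine
        { subject = $1; $1 = ""; sub(/^[ \t]+/, ""); printf "%s\t%s\n", subject, $0 }
    ' "$1"
}

# Constructed sample; nothing here describes a real host.
sample_sudoers() {
    cat <<'EOF'
# constructed sample, not a real host's /etc/sudoers
Defaults    env_reset
Defaults:alice !requiretty
User_Alias  DBA = carol
Cmnd_Alias  PGCTL = /usr/bin/systemctl restart postgresql, /usr/bin/systemctl status postgresql
%wheel      ALL=(ALL) ALL
%dbadmins   db1,db2=(root) PGCTL
+dbhosts    ALL=(root) /usr/bin/journalctl
alice       ALL=(ALL) ALL
bob         db1=(root) /usr/bin/systemctl restart postgresql, \
            /usr/bin/journalctl -u postgresql
DBA         ALL=(postgres) ALL
@includedir /etc/sudoers.d
EOF
}

demo() {
    f=$(mktemp)
    sample_sudoers > "$f"
    echo "per-user rules to migrate into central sudo rules:"
    per_user_sudo_rules "$f"      # alice, bob (joined continuation) and DBA
    rm -f "$f"
}
demo
```

Run it against every host’s `/etc/sudoers` and `/etc/sudoers.d/*` (the script does not follow `@includedir`, so pass those files explicitly). Each reported line becomes a FreeIPA rule keyed on a group: `ipa sudorule-add`, then `ipa sudorule-add-user --groups=`, `ipa sudorule-add-host --hostgroups=` and `ipa sudorule-add-allow-command --sudocmds=`. Enrolled clients pick the rules up through SSSD once `sudoers: files sss` is in `/etc/nsswitch.conf`, which ipa-client-install configures.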
Because Zero Trust extends beyond authentication, we’ll cover practical network segmentation using firewalld zones, and discuss SELinux as a policy enforcement layer: in enforcing mode, a confined process can only reach the files, ports, and other resources its policy explicitly permits, regardless of which Unix user it runs as. That is a core Zero Trust principle that many admins overlook.
Throughout the session, we emphasize quick wins: the configuration steps, commands, and workflows that attendees can implement in an afternoon. Examples include enabling centralized logins with SSSD, issuing ephemeral SSH certificates, migrating sudo access into groups, deploying HBAC rules, building a simple identity GitOps workflow with Ansible Core, and designing a small test environment to experiment safely.
Real-world lessons learned are woven throughout the presentation: clock skew breaking Kerberos (keep every host on NTP or chrony before enrolling it), avoiding overly permissive groups, designing manageable HBAC rules, and rolling out identity changes without locking out admins (keep a local break-glass account, and check each new rule with ipa hbactest before disabling FreeIPA’s default allow_all rule). Everything is grounded in practical experience and avoids vendor pitches.
This talk is ideal for sysadmins, homelab enthusiasts, security-minded operators, and anyone managing a hybrid or multi-distro Linux environment who wants to improve security without adopting enterprise complexity. Participants will walk away with a clear roadmap for building a Zero Trust foundation using the tools they already have: FreeIPA, SSSD, SSH CAs, Keycloak (optional), firewalld, SELinux, and Ansible Core.
Zero Trust doesn’t have to be expensive, magical, or disruptive. With the right open-source tooling and a focus on identity, Linux admins can design a modern, resilient security posture that is genuinely stronger - and completely accessible to the community.